Apply by doing:
cd /usr/src
patch -p0 < 010_bind.patch
Then rebuild and install bind:
cd usr.sbin/bind
make -f Makefile.bsd-wrapper obj
make -f Makefile.bsd-wrapper
make -f Makefile.bsd-wrapper install
Index: usr.sbin/bind/bin/named/query.c
===================================================================
RCS file: /cvs/src/usr.sbin/bind/bin/named/query.c,v
retrieving revision 1.4
retrieving revision 1.4.6.1
diff -u -p -r1.4 -r1.4.6.1
--- usr.sbin/bind/bin/named/query.c 28 Sep 2004 17:14:03 -0000 1.4
+++ usr.sbin/bind/bin/named/query.c 5 Sep 2006 19:42:24 -0000 1.4.6.1
@@ -2389,7 +2389,7 @@ query_find(ns_client_t *client, dns_fetc
 is_zone = ISC_FALSE;
 qtype = event->qtype;
- if (qtype == dns_rdatatype_rrsig)
+ if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
 type = dns_rdatatype_any;
 else
 type = qtype;
@@ -2430,7 +2430,7 @@ query_find(ns_client_t *client, dns_fetc
 /*
 * If it's a SIG query, we'll iterate the node.
 */
- if (qtype == dns_rdatatype_rrsig)
+ if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
 type = dns_rdatatype_any;
 else
 type = qtype;
Index: usr.sbin/bind/lib/dns/resolver.c
===================================================================
RCS file: /cvs/src/usr.sbin/bind/lib/dns/resolver.c,v
retrieving revision 1.9
retrieving revision 1.9.4.1
diff -u -p -r1.9 -r1.9.4.1
--- usr.sbin/bind/lib/dns/resolver.c 21 Aug 2005 02:26:22 -0000 1.9
+++ usr.sbin/bind/lib/dns/resolver.c 5 Sep 2006 19:42:24 -0000 1.9.4.1
@@ -728,7 +728,8 @@ fctx_sendevents(fetchctx_t *fctx, isc_re
 INSIST(result != ISC_R_SUCCESS ||
 dns_rdataset_isassociated(event->rdataset) ||
 fctx->type == dns_rdatatype_any ||
- fctx->type == dns_rdatatype_rrsig);
+ fctx->type == dns_rdatatype_rrsig ||
+ fctx->type == dns_rdatatype_sig);
 isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
 }
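Review bot: The first `qtype` test in query_find (the -2389 hunk) has no comment saying why SIG and RRSIG are looked up as ANY, while the second site carries one ("If it's a SIG query, we'll iterate the node."). Since the fix is precisely that one of two sibling types was left out of this mapping, I would document it at both sites, e.g. `/* SIG and RRSIG are answered by iterating the node, so look up ANY. */` above the `if`. The code that consumes `type` and iterates the node is outside both hunks, so whether its per-rdataset filter behaves as intended for `dns_rdatatype_sig` cannot be confirmed from here. query_find starts and ends outside the hunk.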
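Review bot: The exemption list in this INSIST in fctx_sendevents is spelled out by hand, and the same three-type test is repeated in validated() (the -3153 and -3265 hunks) and in cache_name() (the -3411 and -3547 hunks); a type missing from one copy lets a query type, presumably chosen by a client, reach an assertion failure, which in ISC code aborts the process. A single predicate would keep the five sites in step, for example `#define NODE_ITERATED(t) ((t) == dns_rdatatype_any || (t) == dns_rdatatype_rrsig || (t) == dns_rdatatype_sig)` (the name is only a suggestion), with a comment stating that fetches of these types return no bound rdataset because the caller iterates the node. It is also worth asking whether a condition that depends on data from the network should be an INSIST at all rather than a logged failure path. fctx_sendevents begins outside the hunk.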
@@ -3153,7 +3154,8 @@ validated(isc_task_t *task, isc_event_t
 if (hevent != NULL) {
 if (!negative && !chaining &&
 (fctx->type == dns_rdatatype_any ||
- fctx->type == dns_rdatatype_rrsig)) {
+ fctx->type == dns_rdatatype_rrsig ||
+ fctx->type == dns_rdatatype_sig)) {
 /*
 * Don't bind rdatasets; the caller
 * will iterate the node.
@@ -3265,7 +3267,8 @@ validated(isc_task_t *task, isc_event_t
 if (!ISC_LIST_EMPTY(fctx->validators)) {
 INSIST(!negative);
 INSIST(fctx->type == dns_rdatatype_any ||
- fctx->type == dns_rdatatype_rrsig);
+ fctx->type == dns_rdatatype_rrsig ||
+ fctx->type == dns_rdatatype_sig);
 /*
 * Don't send a response yet - we have
 * more rdatasets that still need to
@@ -3411,14 +3414,15 @@ cache_name(fetchctx_t *fctx, dns_name_t
 return (result);
 anodep = &event->node;
 /*
- * If this is an ANY or SIG query, we're not going
- * to return any rdatasets, unless we encountered
+ * If this is an ANY, SIG or RRSIG query, we're not
+ * going to return any rdatasets, unless we encountered
 * a CNAME or DNAME as "the answer". In this case,
 * we're going to return DNS_R_CNAME or DNS_R_DNAME
 * and we must set up the rdatasets.
 */
 if ((fctx->type != dns_rdatatype_any &&
- fctx->type != dns_rdatatype_rrsig) ||
+ fctx->type != dns_rdatatype_rrsig &&
+ fctx->type != dns_rdatatype_sig) ||
 (name->attributes & DNS_NAMEATTR_CHAINING) != 0) {
 ardataset = event->rdataset;
 asigrdataset = event->sigrdataset;
@@ -3477,7 +3481,7 @@ cache_name(fetchctx_t *fctx, dns_name_t
 */
 if (secure_domain && rdataset->trust != dns_trust_glue) {
 /*
- * SIGs are validated as part of validating the
+ * RRSIGs are validated as part of validating the
 * type they cover.
 */
 if (rdataset->type == dns_rdatatype_rrsig)
@@ -3547,7 +3551,8 @@ cache_name(fetchctx_t *fctx, dns_name_t
 if (ANSWER(rdataset) && need_validation) {
 if (fctx->type != dns_rdatatype_any &&
- fctx->type != dns_rdatatype_rrsig) {
+ fctx->type != dns_rdatatype_rrsig &&
+ fctx->type != dns_rdatatype_sig) {
 /*
 * This is The Answer. We will
 * validate it, but first we cache
@@ -3742,23 +3747,28 @@ ncache_adderesult(dns_message_t *message
 isc_result_t *eresultp)
 {
 isc_result_t result;
+ dns_rdataset_t rdataset;
+
+ if (ardataset == NULL) {
+ dns_rdataset_init(&rdataset);
+ ardataset = &rdataset;
+ }
 result = dns_ncache_add(message, cache, node, covers, now, maxttl,
 ardataset);
- if (result == DNS_R_UNCHANGED) {
+ if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
 /*
- * The data in the cache are better than the negative cache
- * entry we're trying to add.
+ * If the cache now contains a negative entry and we
+ * care about whether it is DNS_R_NCACHENXDOMAIN or
+ * DNS_R_NCACHENXRRSET then extract it.
 */
- if (ardataset != NULL && ardataset->type == 0) {
+ if (ardataset->type == 0) {
 /*
- * The cache data is also a negative cache
- * entry.
+ * The cache data is a negative cache entry.
 */
 if (NXDOMAIN(ardataset))
 *eresultp = DNS_R_NCACHENXDOMAIN;
 else
 *eresultp = DNS_R_NCACHENXRRSET;
- result = ISC_R_SUCCESS;
 } else {
 /*
 * Either we don't care about the nature of the
@@ -3770,14 +3780,11 @@ ncache_adderesult(dns_message_t *message
 * XXXRTH There's a CNAME/DNAME problem here.
 */
 *eresultp = ISC_R_SUCCESS;
- result = ISC_R_SUCCESS;
 }
- } else if (result == ISC_R_SUCCESS) {
- if (NXDOMAIN(ardataset))
- *eresultp = DNS_R_NCACHENXDOMAIN;
- else
- *eresultp = DNS_R_NCACHENXRRSET;
+ result = ISC_R_SUCCESS;
 }
+ if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset))
+ dns_rdataset_disassociate(ardataset);
 return (result);
 }
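Review bot: Substituting a local `rdataset` for a NULL `ardataset` in ncache_adderesult (the -3742 hunk) changes what callers that pass NULL see in `*eresultp`: on DNS_R_UNCHANGED they previously always got ISC_R_SUCCESS through the `else` branch, and now get DNS_R_NCACHENXDOMAIN or DNS_R_NCACHENXRRSET whenever the cached entry is negative. The comment opening that branch ("Either we don't care about the nature of the", continuing outside the hunk) appears to describe the old NULL case and should be reworded, e.g. `* The cache rdataset is not a negative cache entry.`. The `ardataset->type == 0` test also now relies on dns_ncache_add() binding the rdataset for both accepted results, since a freshly initialised rdataset presumably has type 0 as well; a short comment stating that assumption would help. Whether any caller that passes NULL inspects `*eresultp` is not visible here.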
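Review bot: The cleanup added at the end of ncache_adderesult (the -3770 hunk) is correct only because `ardataset == &rdataset` is tested before `dns_rdataset_isassociated()`, as `rdataset` is left uninitialised whenever the caller supplied its own rdataset. That dependency is easy to break in a later edit; either call `dns_rdataset_init(&rdataset);` unconditionally at the top, or add a comment such as `/* Release the temporary rdataset used when the caller passed NULL. */` above the `if`. Note also that `*eresultp` is still not written when dns_ncache_add() returns anything other than the two accepted results, which the function's header comment (outside the hunk) should state.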